Cybercriminals have found a new way to stay hidden in plain sight. They’re using artificial intelligence to cloak phishing sites, fake stores, and malware traps, shielding them from scanners while still reaching real victims. This was revealed by recent research from SlashNext.
It’s not a trick, but a service. And it’s catching on fast.
These platforms (part of a growing ecosystem known as cloaking-as-a-service, or CaaS) use machine learning and behavioral profiling to show one version of a website to security systems and another to everyone else. To a crawler, the page looks clean. To a person, it’s a scam.
A New Layer of Deception
Cloaking isn’t new. It started in shady corners of online advertising. But now, AI is giving it a serious upgrade.
Instead of relying on simple user-agent checks or IP filtering, cloaking services today use JavaScript fingerprinting, dynamic content swapping, and hundreds of behavioral signals. The result: malicious pages that detect who’s watching and adapt accordingly.
Google’s Trust and Safety team flagged the rise of AI cloaking in late 2024. The warning was clear. Threat actors were deploying the same evasion tools used in ad fraud, only now to protect phishing kits, credential harvesters, and ransomware loaders.
Hoax Tech and JS Click Cloaker
Two platforms illustrate just how sophisticated cloaking has become.
Hoax Tech uses JavaScript fingerprinting and a custom AI engine called Matchex to identify bots. It collects data on screen resolution, browser plugins, language settings, and more. The engine then compares these attributes against a vast database of known behaviors to decide whether the visitor is safe or suspicious.
If flagged, the visitor sees a clean “white page.” If trusted, they’re shown the “black page” or the real scam.
JS Click Cloaker takes it further. It analyzes over 900 parameters per visit. It doesn’t just check browser settings. It looks at how fast a page loads, whether the browser is headless, what kind of device is being used. Suspicious signals? Rerouted or blocked. Real users? Sent straight to the bait.
Both services advertise themselves as traffic security tools for marketers. But in underground forums, criminals openly discuss using them to protect fake banks, crypto scams, and malicious download sites. For as little as $100 a month, they get enterprise-grade evasion.
White Page, Black Page – The Mechanics of Cloaking
Here’s how it works:
When someone visits a cloaked site, the platform decides in real time what they’ll see.
If they look like a bot (a known IP, datacenter location, odd headers, or non-human behavior), they’re served the white page. Nothing harmful, nothing to flag.
If they look human (natural mouse movement, realistic user-agent, valid ad ID), they’re routed to the black page. That might be a fake login, a malware link, or a crypto scam.
The deception is seamless. Security scanners report the site as safe. Victims don’t suspect a thing.
Cloaking extends the life of malicious pages. Sites stay up longer. Scams reach more victims. Takedowns are delayed.
By masking intent until the last moment, threat actors gain a crucial edge. It’s camouflage—selective, adaptive, and machine-driven.
How Defenders Are Fighting Back
The good news? Defenders are adapting, too.
Platforms like SlashNext use behavioral analysis and real-time scanning to outsmart cloaking. Instead of checking a URL with a static scanner, they launch a virtual browser. They interact with the page. They watch what happens when a button is clicked or when a form is filled.
This exposes content-switching behavior, the kind that cloakers rely on.
Multi-Perspective Scanning: Defenders now test links from different angles. One scan might mimic a mobile device from Brazil. Another, a headless browser from Virginia. If the responses vary, the site is likely cloaked.
This differential analysis doesn’t need to catch the black page on the first try. It just needs to catch the inconsistency.
Heuristics and Red Flags: Cloaking tools often leave fingerprints of their own. Heavy use of JavaScript fingerprinting libraries, unusual amounts of environment data collection, or logic that swaps content based on subtle checks can all be indicators.
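The multi-perspective comparison described above can be sketched as follows. This is an added example, not code from SlashNext or any vendor named in the article; the vantage labels, the 0.6 similarity threshold, and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from itertools import combinations

class _Features(HTMLParser):
    """Collect visible words and security-relevant structure from one response."""
    def __init__(self):
        super().__init__()
        self.words, self.structure, self._skip = set(), set(), 0
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "form":
            self.structure.add("form action=" + (a.get("action") or ""))
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.structure.add("password input")
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            # Letters only, so dates and counters in visible text are not a difference.
            self.words.update(re.findall(r"[a-z]+", data.lower()))

def features(html):
    parser = _Features()
    parser.feed(html)
    parser.close()
    return parser.words, parser.structure

def compare_perspectives(responses, min_similarity=0.6):
    """responses maps a vantage label to the HTML body that vantage received."""
    feats = {label: features(body) for label, body in responses.items()}
    findings = []
    for x, y in combinations(sorted(feats), 2):
        (wx, sx), (wy, sy) = feats[x], feats[y]
        similarity = len(wx & wy) / len(wx | wy) if wx | wy else 1.0  # Jaccard
        if similarity < min_similarity or sx != sy:
            findings.append((x, y, round(similarity, 2), sorted(sx ^ sy)))
    return findings

# Constructed sample responses (not captured from any real site).
WHITE = "<title>Garden tips</title><h1>Garden tips</h1><p>Water plants daily. Updated {}</p><script>var n={};</script>"
BLACK = "<title>Sign in</title><form action='https://collector.example/login'><input type='password' name='p'></form><p>Sign in to continue.</p>"
SAMPLE = {
    "headless-datacenter": WHITE.format("2025-01-01", 111),
    "desktop-residential": WHITE.format("2025-01-02", 222),
    "mobile-residential": BLACK,
}
```

Calling `compare_perspectives(SAMPLE)` flags both pairs that include the mobile vantage and leaves the two white-page fetches unflagged, even though their dates and script values differ.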
The Arms Race Continues
Cloaking isn’t just an evasion technique anymore. It’s a service that is modular and scalable.
Malefactors have given their phishing infrastructure a defense layer. They’re treating scam campaigns like software startups, complete with customer segmentation, A/B testing, and threat detection evasion.
Defenders will need to keep pace. That means faster detection. Smarter scanning. And better tooling that sees what users see, not just what bots see.
The fight is no longer just about finding the scam. It’s about seeing through the illusion before the victim ever clicks.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.


